Security Implications of China’s Auto Dominance

At the end of September, the 2023 China International Automobile Exhibition opened in Tianjin. An official representing the China Council for the Promotion of International Trade (CCPIT) delivered a speech, announcing that China’s automobile exports are expected to exceed four million units this year (Kuai Keji, September 28). According to the most recent data, China exported just shy of three million vehicles from January to August, up 61.9 percent from 2022. This means that China is set to surpass Japan—as it overtook Germany last year—to become the world’s largest automobile exporter for the first time.

Cars are increasingly conceived of as devices connected to a wider digital infrastructure. As such, they present clear security concerns, just as other emerging technologies do. Chinese auto brands in particular pose risks for the West, as do cars that contain core components manufactured by Chinese companies. Much of the debate surrounding Chinese Electric Vehicles (EVs) in recent weeks has focused on the issue of economic security, largely due to EU Commissioner Ursula von der Leyen’s recent State of the Union address, which she used to announce the opening of an anti-subsidies investigation into Chinese auto companies (European Commission, September 13). However, lost in this economic security framing are the additional national security and cybersecurity concerns from a potential influx of certain Chinese vehicles.

Globally, the auto industry is one of the worst offenders when it comes to privacy violations. A new report from the software NGO Mozilla surveyed the privacy policies of 25 American, Korean, German, and Japanese brands, finding that every single one “collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you” (Mozilla Foundation, September 6). This data extends to medical and genetic information, and even to drivers’ sexual activity. Many of these companies say they can share or sell this data to service providers, data brokers, and other businesses. More troubling is the fact that over half of the firms surveyed say they can share drivers’ information with governments or law enforcement agencies in response to a mere “informal request.” Given the lax approach to data security from the auto industry more widely, telematic vehicles present an easy avenue for the Chinese government to exploit should they wish to do so. As with previous instances (such as ZTE, Huawei, and TikTok), the ability for the Beijing or state-linked groups to access this data, as well as to potentially push updates to vehicle software that could cause significant damage, is an issue worthy of more serious attention from lawmakers and regulators across the globe.

Telematics and Teslas: Chinese Concerns

Telsa is the worst offender in this regard. An American company, Tesla nevertheless manufactures over half of its EVs at its principal factory in Shanghai (Insideevs, January 8), which the company built thanks to generous policies from the local government. Despite this, the Chinese regime has long been suspicious of the firm’s vehicles, whose abundance of sensors (and permissive privacy policy) allow a high degree of surveillance on the part of the company. For several years, concerns about Teslas being used to spy or to acquire sensitive information have been voiced frequently in Chinese media. One article from 2021 quotes an official as saying that “the lack of regulation has been acknowledged very suddenly, and to some extent, it is equivalent to opening a ‘big skylight (大天窗)’ on our national security system” (LeiPhone, March 23, 2021; Sohu, May 14, 2021). On September 20, a post from a Chinese-language media outlet on the social media platform X (formerly Twitter) showed Xi Jinping visiting Yiwu, Zhejiang Province, and signs saying that the neighborhood was “off-limits to Teslas (附近区域禁止特斯拉 进入)” (Voice of Hope, September 20). This follows a story that emerged in August this year, sparked by a netizen posting a picture of a similar sign in the parking lot of Yueyang Sanhuo Airport, which read “Teslas are prohibited from entering the classified control area.” The stated justification from airport staff to local reporters at the time was the risk of secrets being “leaked (泄密)” to Teslas (Jinguan News, August 15). In August 2022, local officials also banned Teslas from driving in Beidaihe (where Xi Jinping decamps for two weeks in the summer) over matters of “national affairs” (国家事务) (VOA, June 21, 2022).

The Chinese government is clearly concerned about the threat that cars pose for personal data and privacy protection. On September 26, the China Academy of Information and Communications Technology (CAICT), which is subordinated to the Ministry of Industry and Information Technology (MIIT), released a white paper on “Key Elements of Data” (CAICT September 26). This updates white papers from previous years, but usefully summarizes the broad contours of the government’s views on data, noting that “big data” was first included in the government’s work report as early as 2014. Another CAICT report from July is titled “National Telematics Industry Standard System Construction Guideline (国家车联网产业标准体系建设指南)” (CAICT, July 18). This report specifically covers “telematics (车联网),” which refers to the use of information technology to transmit, store, and receive information to and from vehicles. One of the first stated principles of the text is to “build a solid bottom line to ensure safety.” The guidelines go on to map out a multi-phase plan to formulate and revise over 140 standards related to smart, connected cars by 2030, and to develop a synergistic “vehicle-road-cloud” system with domestic and international coordination.

The seriousness with which China is pursuing the regulation of data more generally and telematic vehicles specifically demonstrates a keen awareness of potential risks. This comes from an offensive mindset as much as a defensive one. The fears that Teslas have provoked within the Party rests on the assumption that the US government could access any data that these American cars collect. This is revealing, as the PRC government’s view of how it thinks the US government reflects its own modus operandi: If the situation was reversed, Beijing would very likely be able to access data collected by a Chinese vehicle on foreign soil. While China has sought to downplay the possibilities of Chinese cars conducting surveillance activities (China Daily, August 8), there is nevertheless very real cause for concern (The Telegraph, August 8; The Spectator, August 7).

Areas of Concern for Western Governments

British Foreign Secretary James Cleverly recently gave an interview with The Spectator Magazine’s “Chinese Whispers podcast,” in which he discussed his recent official visit to Beijing (The Spectator, October 2). In detailing how the visit was planned, Cleverly mentions that the Chinese side initially wanted him to use cars that they provided for the duration of his trip, rather than one provided by the British Embassy. The motivations from the Chinese side are clear: a desire to weaponize these vehicles as surveillance devices.

Links between Chinese businesses and the government or military constitute an additional layer of distrust in every sector, as they suggest that the firms are more easily coerced to operate on behalf of the state. Such links undoubtedly exist in the auto industry. Leapmotor, a Chinese auto manufacturer, was founded by Zhu Jiangming (朱江明) and Fu Liquan (傅利泉) in 2015. They had previously founded Dahua Technology, which is currently sanctioned by the US Government for using surveillance cameras and software to provide “real-time Uyghur warnings” to the Chinese police (Sina Finance, September 23, 2022; IPVM, February 9, 2021). Another company, Qi-ANXIN Technology Group (奇安信科技), has won awards for their technology. One such award was bestowed at a conference co-sponsored by the China Automotive Engineering Research Institute, which has provided special vehicles to the PLA (Leiphone, June 30, 2022).

The United Kingdom has begun to get to grips with the potential abuses of digitally integrated vehicles and their vulnerability to cyberhacking or other malfeasance. The United States is similarly starting to consider the pitfalls: In September, Federal Communications Commission Chairwoman Jessica Rosenworcel asked US government agencies to consider declaring that certain Chinese companies pose “unacceptable national security risks” (Reuters, September 6). Those singled out include Quectel and Fibocom Wireless, which both manufacture Internet of Things (IoT) devices to be fitted inside cars.

Conclusion

The Chinese government has a highly developed approach to digital data, and a deep understanding of its importance in a digitally integrated world. The PRC’s legal framework gives the government the power to force companies to hand over proprietary data, and the heightened emphasis on national security within the PRC makes it increasingly likely that it will leverage this power to weaponize this data. The ubiquity of cars and the trend towards further connectivity—both areas in which the PRC has consciously positioned itself to dominate—presents a clear danger to societies Beijing perceives as hostile. One potentially positive corollary of von der Leyen’s anti-subsidies investigation will be to slow the advent of Chinese EVs and other vehicles into the European market (the US is still relatively protected from Chinese imports due to its high tariffs). This will provide lawmakers with more time to carefully assess privacy dangers and regulate the industry with the appropriate level of scrutiny.